ETSI TS 119 461: The Technical Standard Behind eIDAS-Compliant Identity Proofing

Key Takeaways

• ETSI TS 119 461 is the primary European technical standard for identity proofing, setting policy and security requirements for how identities must be verified in trust service contexts.
• Compliance is mandatory for QTSPs (Qualified Trust Service Providers) and has been formally referenced by eIDAS 2.0 through EU Implementing Regulation 2025/1566, in force from August 2025.
• The standard covers multiple verification methods, including physical presence, attended and unattended remote identity proofing, and eID-based authentication.
• Version 2.1.1, published in February 2025, introduced a higher Extended Level of Identity Proofing (LoIP) and stronger controls for attack detection, particularly against emerging fraud vectors.
• Non-QTSP IDV providers are not legally required to comply, but alignment with the standard is becoming a competitive and procurement differentiator.

If you work in identity verification, you have likely heard eIDAS 2.0. It’s been often discussed lately as a regulatory turning point for Europe. That said, the regulation itself doesn’t define how to verify an identity. That job belongs to a technical standard: ETSI TS 119 461.

If you’re operating in or selling into the European market, understanding this standard is not an option anymore. It defines the bar that qualified trust service providers must meet, and it is increasingly shaping what enterprise buyers expect from every IDV provider, regardless of regulatory status.

What Is ETSI TS 119 461?

ETSI TS 119 461 is a technical specification published by the European Telecommunications Standards Institute (ETSI). It defines the policy and security requirements that identity proofing service components must meet to reliably verify a person’s identity, particularly in remote and digital contexts.

The standard operates within the broader eIDAS framework. eIDAS (Electronic Identification, Authentication and Trust Services) is the EU regulation that governs how electronic identities and trust services are recognized across member states. ETSI TS 119 461 provides the technical backbone that makes eIDAS identity verification requirements enforceable and auditable.

What this means in practical terms is that the standard tells organizations exactly how evidence must be captured, processed, and validated to confirm a person’s identity in a way that satisfies European regulatory expectations. It covers everything from document authenticity checks to biometric verification to the handling of eID means.

The most recent version, v2.1.1, was published in February 2025 and was formally mandated as the conformity assessment reference through EU Implementing Regulation 2025/1566, which came into force in August 2025.

What ETSI TS 119 461 Requires for Remote Identity Proofing

The standard defines several distinct use cases for identity proofing, each with its own requirements. For organizations focused on digital onboarding, the remote identity proofing use cases are the most relevant.

Attended remote identity proofing involves a human operator assisting the process in real time, typically via video. The standard sets requirements for operator training, session integrity, and the quality of document and biometric capture.

Unattended remote identity proofing is fully automated. This is the highest-friction remote category under the standard, requiring high-quality document capture, robust liveness detection, and in some cases post-process manual validation. The standard requires that unattended remote verification achieve a level of assurance equivalent to physical presence.

eID-based identity proofing uses existing verified eID means, such as national digital identity credentials, as the basis for verification. As the European Digital Identity Wallet rolls out under eIDAS 2.0, this use case will grow significantly.

Across all remote methods, the standard requires:

• Document authenticity verification, including checks against known forgery patterns and security feature validation
• Biometric matching between the document photo and the live applicant
• Liveness detection to prevent presentation attacks using photos, videos, or masks
• Injection attack resilience, a requirement strengthened in v2.1.1 to address digital injection of synthetic or manipulated biometric data
• Data integrity controls to ensure evidence is not tampered with between capture and processing
• Audit logging sufficient to support conformity assessment and incident investigation

The standard also defines two Levels of Identity Proofing (LoIP): Baseline LoIP, aligned with original eIDAS requirements, and Extended LoIP, introduced in v2.1.1 to meet the stricter requirements of eIDAS 2.0 for issuing qualified certificates and qualified attestations of attributes.

Mandatory vs. Voluntary: Who Must Comply?

ETSI TS 119 461 is mandatory for Qualified Trust Service Providers (QTSPs). A QTSP is an organization that has been granted qualified status by a national supervisory body in an EU member state and provides services such as qualified electronic signatures, qualified certificates, or qualified electronic registered delivery.

Under eIDAS Article 24 and the 2025 Implementing Regulation, QTSPs must use ETSI TS 119 461 v2.1.1 as the reference standard for their conformity assessments. Existing QTSPs are required to submit a compliance report in 2026 demonstrating continued conformity of their identity proofing processes.

For general IDV providers operating outside the QTSP framework, compliance is voluntary. However, the distinction is narrowing in practice. Several factors are pushing non-QTSP providers toward alignment:

• Procurement requirements. Enterprise buyers in regulated sectors, particularly banking and payments, are beginning to ask whether their IDV vendors align with ETSI standards, even if those vendors are not themselves QTSPs.
• AMLA and AML regulation. The Anti-Money Laundering Authority and related technical standards are expected to reference eIDAS-aligned verification methods as AML obligations tighten across Europe.
• Market positioning. For IDV providers that serve or aspire to serve QTSPs as Identity Proofing Service Providers (IPSPs), conformity with ETSI TS 119 461 is a functional prerequisite.

Why ETSI TS 119 461 Matters for IDV Providers in 2026

The timing is significant. With the August 2025 Implementing Regulation now in force and a 2026 QTSP recertification deadline on the calendar, ETSI TS 119 461 is moving from background standard to active compliance requirement within a compressed window.

Several trends make this particularly consequential for identity verification providers:

The threat landscape has changed. Version 2.1.1 was updated specifically to address attack resilience against emerging fraud vectors, including digital injection of synthetic biometrics. As deepfake and generative AI tools become more accessible, standards bodies are encoding defenses against them into conformity requirements.

eIDAS 2.0 is expanding the scope of regulated identity. The European Digital Identity Wallet introduces reusable digital identities and raises the bar for what counts as a high assurance verification. Providers that cannot meet Extended LoIP will be excluded from use cases tied to the wallet ecosystem.

Buyers are becoming more sophisticated. Enterprise procurement teams in financial services, payments, and public sector are increasingly looking for verifiable standards alignment, not just vendor claims. ETSI certification provides an auditable basis for that assurance.

Regulatory convergence is accelerating. ETSI TS 119 461 is already referenced by eIDAS 2.0 and is expected to influence future AMLA technical standards and updates to EBA guidelines on remote customer onboarding. Providers that align now will be better positioned as these requirements propagate.

How to Evaluate Whether an IDV Provider Meets ETSI Standards

For organizations evaluating IDV vendors, particularly in European markets, the following checklist covers the core capabilities required by ETSI TS 119 461:

Document verification

• Authenticates physical and digital identity documents against known security features
• Detects forgery patterns and tampered documents
• Supports NFC chip reading for electronic documents where applicable

Biometric verification

• Performs facial matching between document photo and live capture
• Applies certified liveness detection to counter presentation attacks (photos, videos, masks)
• Addresses injection attack vectors in the biometric pipeline

Remote session integrity

• Maintains data integrity between capture and processing
• Supports both attended and unattended remote verification use cases
• Provides audit logs sufficient for conformity assessment review

Regulatory alignment

• Demonstrates alignment with ETSI TS 119 461, ideally through third-party conformity assessment
• Supports Baseline LoIP at minimum; Extended LoIP for QTSP-adjacent use cases
• Can operate as a recognized Identity Proofing Service Provider (IPSP) for QTSPs

Operational standards

• Maintains documented security policies covering data handling, storage, and access controls
• Undergoes regular independent security audits
• Has clear incident response and breach notification procedures

If a provider cannot clearly address these areas, that is a meaningful gap in a regulated procurement context.

FAQ